Question about securing accounts in a domain

sharpy56 · May 2016

Hi All,

This has come up a couple of times and wanted to get different inputs to the following scenario:

Setting up a "guest" account that is able to roam around a domain network and login to all workstations. A proxy server could be put in place for internet filtering. The account needs to be locked down for security purposes and only have access to the internet (no other access to the network).

The network in the scenario is running Microsoft OS Server 2008 R2.

Is there a way this has been safely implemented in the past?

Regards,
The Sharp

TheFORCE · May 2016

Yes it has, it's called disabling the guest account. From my experience having worked in different companies we always disabled the guest account. Every employee should have a unique account that is tied to an individual. Guest accounts will not allow you to track, log or audit thw activity of users since you will not be able to tell with certainty who performed an action. In the Infosec world it's called "non repudiation", a user cannot deny that they performed a certain action. So basically having a guest account is not a good idea.

636-555-3226 · May 2016

I love this question. Give me a generic account that can log into all workstations and I'll pwn your network in a short while. Things like this are a hacker's dream.

To ask the generic question - what problem are you trying to solve? There's a better way to do whatever you're trying to do.

blargoe · May 2016

Yes, we need more context here.

cyberguypr · May 2016

What is the purpose of this? I'm assuming everyone internally has their own set of credentials so is the goal to give this account to visitors or something? Let's hear the context before I go off on a rant on what a horrible idea this is.

TechGuru80 · May 2016

I take it the account needs the ability to use CD/DVD and USB ports?

Physical access is just the start of issues in the situation stated it sounds like...

PJ_Sneakers · May 2016

What would be the reason to do this? I can't think of a reason to do this that doesn't boil down to laziness.

kiki162 · May 2016

Don't EVER touch the Guest account!!!!

Instead make a specific domain account that is a member of a separate group. Define what needs to be "locked down" within the network. To test the account, you can make a separate OU and block inheritance. Place a separate GP in that OU, and test away.

If you want to define what needs to be locked down and need help on how to do that, feel free to post here.

ITSpectre · May 2016

Guest account = Disaster waiting to happen. Nothing is worse then giving a end user the ability to "free roam" on a Network. Leave the guest account alone. Create a normal user account for said user and leave it at that... if they need specific permissions then they have to have a reason to have them. Some users think they should have admin rights so they can install programs.... but there is a reason why users don't have admin rights.

If you want an account to be locked down for network access only... just create a user account in ADUC and there you go. set the permissions and your done...

Enable the guest account at your own risk!!!

markulous · May 2016

What is the exact purpose of this? I.e. what is the problem that you are trying to fix? I don't think this is the solution either way.

Question about securing accounts in a domain

Comments